DKIM last chance for mail service ? - PowerPoint PPT Presentation

Slides: 18
Provided by: aumont
Transcript and Presenter's Notes


1
DKIM last chance for mail service ?
2
Mail service status
  • More and more spam, phishing, spoofing, viruses
  • More and more energy spent on spam fighting
  • More and more messages lost because of:
      • Imperfect automatic filtering
      • User error while removing spam
      • Delivery reports unusable (too many returns for
        spoofed email)
  • Trust in mail service is now low.

3
Authentication
  • Authentication is not the ultimate solution but a
    prerequisite for deterring many abuses
  • PGP and S/MIME have failed at wide-scale deployment:
      • too complex for users
      • need to deploy private keys to end users
      • S/MIME: expensive PKI; the shared trusted-CA model
        is only commercial
4
Sender Policy Framework
  • A kind of reverse MX.
  • Does not authenticate the message itself, only the
    originating mail server.
  • Broken by forwarding, so it requires one of:
      • SRS (Sender Rewriting Scheme)
          srs0=yf09=Cw=orig.org=alice@forwarder.org
      • SMTP Responsible Submitter extension
          MAIL FROM:<ann@orig.org> SIZE=1000
            SUBMITTER=<bob@forwarder.org>

5
DKIM
  • Signs messages with asymmetric cryptography
    (similar to PGP and S/MIME)
  • Neither a certificate authority nor a "web of trust".
    Trust is based on the domain administrative
    delegation model. Public keys are published using
    DNS.
  • In most cases messages are signed by the MSA, so
    private keys are stored by that MTA; no
    distribution to end users

6
DKIM
  • Signs body and some headers
  • Signature header: DKIM-Signature
  • Public key stored in DNS
      • _domainkey subdomain
      • selector subdomain
      • DKK: new RR type, falls back to TXT

7
Example

    DKIM-Signature: a=rsa-sha1; q=dns;
        d=example.com;
        i=user@example.com;
        s=jun2005; c=nowsp; l=12345;
        t=1117574938; x=1118006938;
        h=from:to:subject:date;
        b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb
          avyuU4zGeeruD00lszZVoG4ZHRNiYzR

  • a: the signature algorithm
  • q: access method to the public key
  • d, i: the signer
  • c: canonicalization algorithm
  • l: length of body used for signature
  • t, x: validity period
  • h: headers part of the signature
  • b: B64 encoded signature value
  • Query DNS for jun2005._domainkey.example.com
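A verifier-side reading of the header on this slide, as an added example that is not part of the original presentation: it parses the tag list, derives the DNS name for the public key, and reports conditions (expiry, signer/sender mismatch, body bytes beyond `l=`) that matter even when the signature verifies. The `review` helper and its finding strings are hypothetical, and the sample body is constructed.

```python
import re

# Constructed sample: the header from the slide, punctuation per the DKIM tag=value syntax.
SAMPLE = """a=rsa-sha1; q=dns; d=example.com; i=user@example.com;
    s=jun2005; c=nowsp; l=12345; t=1117574938; x=1118006938;
    h=from:to:subject:date;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb
      avyuU4zGeeruD00lszZVoG4ZHRNiYzR"""


def parse_tags(value):
    """Split a DKIM-Signature value into {tag: value}, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(tags):
    """DNS name where the verifier fetches the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def review(tags, sender, body, now):
    """Hypothetical helper: findings to weigh even if the signature itself verifies."""
    findings = []
    if "x" in tags and now > int(tags["x"]):
        findings.append("signature expired")
    # Simplification: exact domain match between sender address and d=.
    if sender.rsplit("@", 1)[-1].lower() != tags["d"].lower():
        findings.append("signer differs from sender: consult SSP")
    if "l" in tags and int(tags["l"]) < len(body):
        extra = len(body) - int(tags["l"])
        findings.append(f"{extra} body bytes outside signed length")
    return findings


if __name__ == "__main__":
    t = parse_tags(SAMPLE)
    print(key_query_name(t))
    body = b"x" * 12345 + b"appended"  # constructed body, 8 bytes past l=
    print(review(t, "user@example.com", body, now=1117600000))
```

Bytes past `l=` are not covered by the signature, so a receiver can treat that part of the body as unauthenticated.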
8
Sender Signing Policy 1/2
  • If a message contains a valid DKIM signature and
    the sender and signer are the same, the message is
    valid.
  • What happens otherwise?
  • SSP is a way for the sender to publish
    information so the signature verifier can decide
    whether the message is suspicious or not

9
SSP 2/2
  • Uses DNS (DKP or TXT RR)
  • Result is one of:
      • Some messages of this entity may not be signed
      • All messages must be signed by the originator
      • All messages must be signed by the originator or
        on its behalf by a third party (mailing list,
        outsourcing, ...)
      • Check at the individual level
      • Sender never signs messages

10
DKIM versus S/MIME
  • No expensive PKI deployment needed
  • Depends on DNS security
  • Not designed for end user to end user signature
    validation
  • No private key for end users
  • No change to the MUA
  • Signature validation by one of the receiving MTAs
  • Headers are part of the signature
  • Sender Signing Policy

11
DKIM threats analysis
  • Discussions about DKIM are huge because the needs and
    implications concern the whole Internet.
  • A lot of criticism of DKIM throughout the mailing
    list archive
  • "DKIM threats" is a draft that summarizes it:
    http://www.ietf.org/internet-drafts/draft-fenton-dkim-threats-02.txt

12
Some identified limits
  • DNS pollution
  • Exploit body length limit
  • Canonicalization abuse
  • Use of revoked key
  • Signed message replay
  • DoS attack against DNS, signer or verifier
  • Compromise of the MTA signing server
  • Look-alike domain names (O/0, l/1, ...)
  • Short-lived domain names

13
DKIM and MLM
  • Still an open discussion because no RFC specifies
    what an MLM is.
  • Some say an MLM is a forwarder
  • Some say an MLM is a remailer
  • A forwarder must just preserve the existing signature
  • A remailer may remove the existing signature and
    apply its own.
  • A forwarder is simple but may ease replay attacks
    and does not solve the question of MLM reputation
  • Remailers are very complex

14
Message service architecture
  • A signature added by the MSA requires any mail
    received to be authenticated first.
  • SMTP-AUTH (port 587) should be used for roaming
    and non-roaming users.
  • SMTP-AUTH makes logs more valuable
  • Can block many botnets/viruses
  • Outgoing access to port 587 in hotspots
  • Internet draft "Email Submission: Access and
    Accountability"
  • http://mipassoc.org/spamops/draft-hutzler-spamops-05.txt

15
Mail service architecture and DKIM
[Diagram. Labels: UA, SMTP auth, MSA (port 587), Output MTA, Add DKIM signature, MX, Filtering service, Signature and SSP check, SMTP auth, UA]
16
Packages
  • Open source
      • libdkim W32 from ALT-N
      • dkim-milter from sendmail
      • dkimproxy from Jason Long
  • Commercial
      • MDaemon (ALT-N)
      • PowerMTA (Port25)
      • StrongMail (StrongMail)

17
(No Transcript)